Skip to content

Fail crossbuild loudly when Windows signing silently skips#2229

Draft
pose wants to merge 1 commit into
masterfrom
windows-signing-verify-guard
Draft

Fail crossbuild loudly when Windows signing silently skips#2229
pose wants to merge 1 commit into
masterfrom
windows-signing-verify-guard

Conversation

@pose

@pose pose commented May 13, 2026

Copy link
Copy Markdown
Member

Summary

  • The Windows signing block in scripts/crossbuild.mk wraps the bash conditional in @set -e; if [[ ... ]]; then ...; fi. POSIX set -e is suppressed inside if condition lists, so if [[ ever fails (e.g. the recipe falls back to /bin/sh on a host where /bin/sh is dash) the condition silently returns false, the then-block is skipped, and the recipe exits 0 with an unsigned binary. CI stays green.

  • Add scripts/verify_signed.py, a small presence check that parses the PE Optional Header's Certificate Table directory entry and exits non-zero if it is empty.

  • Wire it into the bin/%/$(PROVIDER).exe recipe as its own recipe line (no if wrapping), guarded so it only runs when signing was expected:

    @[ "${GOOS}" != "windows" ] || [ "${SKIP_SIGNING}" = "true" ] || \
        python3 scripts/verify_signed.py "$@"

Because the verify is its own recipe line, make checks its exit code directly and fails the recipe on a missing signature. The set -e-inside-if antipattern can no longer hide a silently-skipped signing step.

Test plan

  • cd provider-ci && make all passes locally (Go unit tests, actionlint on regenerated test-providers).
  • verify_signed.py validated against a known-signed .exe (exit 0) and a known-unsigned .exe (exit 1 with the documented error).
  • Reviewer: confirm regenerated test-providers diff matches the template change. Each bridged test-provider should pick up the new scripts/verify_signed.py and the new recipe line.

Notes

Opened as draft for initial review. PR-field checklist (assignee, reviewers, milestone, project) will be filled once the diff is acked.

Part of pulumi/home#4655, pulumi/home#4656, pulumi/home#4657.

🤖 Generated with Claude Code

The signing block in `scripts/crossbuild.mk` wraps `az login` / `jsign`
in a `set -e; if [[ ... ]]; then ...; fi` recipe line. POSIX `set -e`
is documented to be suppressed inside `if` condition lists, so when
`[[` fails (e.g. the recipe falls back to /bin/sh on a host where
/bin/sh is dash), the condition silently returns false, the then-block
is skipped, and the recipe exits 0 with an unsigned binary while CI
stays green.

Add `scripts/verify_signed.py`, a small presence check that parses the
PE Optional Header's Certificate Table directory entry and exits non-
zero if it is empty. Wire it into the `bin/%/$(PROVIDER).exe` recipe
as its own recipe line, guarded so it only runs when signing was
expected:

    @[ "${GOOS}" != "windows" ] || [ "${SKIP_SIGNING}" = "true" ] || \
        python3 scripts/verify_signed.py "$@"

Because the verify is its own recipe line (no `if`-condition wrapping),
make checks its exit code directly and fails the recipe on a missing
signature. The set-e-inside-if antipattern can no longer hide a
silently-skipped signing step.

Part of pulumi/home#4655, pulumi/home#4656, pulumi/home#4657.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pose pose force-pushed the windows-signing-verify-guard branch from 8d8d790 to 9cd594a Compare June 30, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant